From 340e3fa48a3689510082f4e9a0d9dda7c7776c5c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 7 Sep 2022 11:37:24 -0700
Subject: [PATCH] Fix OP_CHECK_THIS to read 1 byte instead of 4/8 on
 x86/x64/LLVM. (#74762)

Current implementation of OP_CHECK_THIS on x86/x64 and LLVM does a
memory read of at least 4 bytes. This creates an issue when the
target is a managed pointer, since that could point to the interior
of a type, meaning it can read pass the allocated memory causing
a crash. Fix change the size of the read to one byte since the only
reason doing the read is to validate that the reference, managed pointer
is not NULL. Reading only one byte is also inline with how it is
implemented on arm/arm64, and it will reduce potential unaligned
reads on x86/x64.

Full fix for, https://github.com/dotnet/runtime/issues/74179.

Co-authored-by: lateralusX <lateralusx.github@gmail.com>
---
 src/mono/mono/arch/amd64/amd64-codegen.h | 1 +
 src/mono/mono/arch/x86/x86-codegen.h     | 7 +++++++
 src/mono/mono/mini/mini-amd64.c          | 2 +-
 src/mono/mono/mini/mini-llvm.c           | 2 +-
 src/mono/mono/mini/mini-x86.c            | 7 ++-----
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/mono/mono/arch/amd64/amd64-codegen.h b/src/mono/mono/arch/amd64/amd64-codegen.h
index ccd82d1ac172d..9ac73b9853c46 100644
--- a/src/mono/mono/arch/amd64/amd64-codegen.h
+++ b/src/mono/mono/arch/amd64/amd64-codegen.h
@@ -1206,6 +1206,7 @@ typedef union {
 #define amd64_alu_membase8_imm_size(inst,opc,basereg,disp,imm,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),0,0,(basereg)); x86_alu_membase8_imm((inst),(opc),((basereg)&0x7),(disp),(imm)); amd64_codegen_post(inst); } while (0)
 #define amd64_alu_mem_reg_size(inst,opc,mem,reg,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),0,0,(reg)); x86_alu_mem_reg((inst),(opc),(mem),((reg)&0x7)); amd64_codegen_post(inst); } while (0)
 #define amd64_alu_membase_reg_size(inst,opc,basereg,disp,reg,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),(reg),0,(basereg)); x86_alu_membase_reg((inst),(opc),((basereg)&0x7),(disp),((reg)&0x7)); amd64_codegen_post(inst); } while (0)
+#define amd64_alu_membase8_reg_size(inst,opc,basereg,disp,reg,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),(reg),0,(basereg)); x86_alu_membase8_reg((inst),(opc),((basereg)&0x7),(disp),((reg)&0x7)); amd64_codegen_post(inst); } while (0)
 //#define amd64_alu_reg_reg_size(inst,opc,dreg,reg,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),(dreg),0,(reg)); x86_alu_reg_reg((inst),(opc),((dreg)&0x7),((reg)&0x7)); amd64_codegen_post(inst); } while (0)
 #define amd64_alu_reg8_reg8_size(inst,opc,dreg,reg,is_dreg_h,is_reg_h,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),(dreg),0,(reg)); x86_alu_reg8_reg8((inst),(opc),((dreg)&0x7),((reg)&0x7),(is_dreg_h),(is_reg_h)); amd64_codegen_post(inst); } while (0)
 #define amd64_alu_reg_mem_size(inst,opc,reg,mem,size) do { amd64_codegen_pre(inst); amd64_emit_rex ((inst),(size),0,0,(reg)); x86_alu_reg_mem((inst),(opc),((reg)&0x7),(mem)); amd64_codegen_post(inst); } while (0)
diff --git a/src/mono/mono/arch/x86/x86-codegen.h b/src/mono/mono/arch/x86/x86-codegen.h
index 74f96f81af407..aca2b659ca058 100644
--- a/src/mono/mono/arch/x86/x86-codegen.h
+++ b/src/mono/mono/arch/x86/x86-codegen.h
@@ -682,6 +682,13 @@ mono_x86_patch_inline (guchar* code, gpointer target)
 		x86_membase_emit ((inst), (reg), (basereg), (disp));	\
 	} while (0)
 
+#define x86_alu_membase8_reg(inst,opc,basereg,disp,reg)	\
+	do {	\
+		x86_codegen_pre(&(inst), 1 + kMaxMembaseEmitPadding); \
+		x86_byte (inst, (((unsigned char)(opc)) << 3));	\
+		x86_membase_emit ((inst), (reg), (basereg), (disp));	\
+	} while (0)
+
 #define x86_alu_reg_reg(inst,opc,dreg,reg)	\
 	do {	\
 		x86_codegen_pre(&(inst), 2); \
diff --git a/src/mono/mono/mini/mini-amd64.c b/src/mono/mono/mini/mini-amd64.c
index 3f52a94732440..bc4eedd8f86c5 100644
--- a/src/mono/mono/mini/mini-amd64.c
+++ b/src/mono/mono/mini/mini-amd64.c
@@ -5511,7 +5511,7 @@ mono_arch_output_basic_block (MonoCompile *cfg, MonoBasicBlock *bb)
 		}
 		case OP_CHECK_THIS:
 			/* ensure ins->sreg1 is not NULL */
-			amd64_alu_membase_imm_size (code, X86_CMP, ins->sreg1, 0, 0, 4);
+			amd64_alu_membase8_reg_size (code, X86_CMP, ins->sreg1, 0, ins->sreg1, 1);
 			break;
 		case OP_ARGLIST: {
 			amd64_lea_membase (code, AMD64_R11, cfg->frame_reg, cfg->sig_cookie);
diff --git a/src/mono/mono/mini/mini-llvm.c b/src/mono/mono/mini/mini-llvm.c
index 3d7a809c2173a..e6224e598f670 100644
--- a/src/mono/mono/mini/mini-llvm.c
+++ b/src/mono/mono/mini/mini-llvm.c
@@ -6856,7 +6856,7 @@ MONO_RESTORE_WARNING
 		}
 
 		case OP_CHECK_THIS:
-			LLVMBuildLoad2 (builder, IntPtrType (), convert (ctx, lhs, pointer_type (IntPtrType ())), "");
+			LLVMBuildLoad2 (builder, LLVMInt8Type (), convert (ctx, lhs, pointer_type (LLVMInt8Type ())), "");
 			break;
 		case OP_OUTARG_VTRETADDR:
 			break;
diff --git a/src/mono/mono/mini/mini-x86.c b/src/mono/mono/mini/mini-x86.c
index 6680b08f72d28..1006eabf989e5 100644
--- a/src/mono/mono/mini/mini-x86.c
+++ b/src/mono/mono/mini/mini-x86.c
@@ -3192,11 +3192,8 @@ mono_arch_output_basic_block (MonoCompile *cfg, MonoBasicBlock *bb)
 			break;
 		}
 		case OP_CHECK_THIS:
-			/* ensure ins->sreg1 is not NULL
-			 * note that cmp DWORD PTR [eax], eax is one byte shorter than
-			 * cmp DWORD PTR [eax], 0
-		         */
-			x86_alu_membase_reg (code, X86_CMP, ins->sreg1, 0, ins->sreg1);
+			/* ensure ins->sreg1 is not NULL */
+			x86_alu_membase8_reg (code, X86_CMP, ins->sreg1, 0, ins->sreg1);
 			break;
 		case OP_ARGLIST: {
 			int hreg = ins->sreg1 == X86_EAX? X86_ECX: X86_EAX;